Here's some sad news: the most commonly used password in the world is still "123456."
This depressing statistic comes from a study by Turkish researcher Ata Hakçıl, who analyzed over 742 million passwords revealed in numerous data breaches over the past few years and posted his findings on GitHub. Of these passwords, "123456" appears 5.3 million times, or one in every 138 passwords.
Of the 742 million entries, there were only 169 million unique passwords. The 1,000 most common passwords accounted for 6.6% of the total, and passwords found only once accounted for less than 9% of the total.
There was a bit of good news: the average password length was 9.48 characters, meaning that all the nagging to create longer passwords has paid off.
By contrast, the median (though not necessarily the average) password length in the well-known 2009 RockYou data breach was about 7 characters. (Hakçıl chose not to include the 32 million RockYou entries in his analysis.)
UPDATE: Playing with the RockYou statistics in this report from Imperva, the average length of RockYou passwords was approximately 7.41 characters.
But even so, the bad news far outweighs the good: the most used password in the RockYou database was also "123456." In fact, of the top 20 RockYou passwords (entered between 2005 and 2009), seven are also on Hakçıl's new top 20 list: 123456, 12345, 123456789, iloveyou, 1234567, 12345678, abc123.
Two other words, "Password" and "Qwerty," are in RockYou's Top 20, while "password" and "qwerty" are in Hakçıl's Top 20. (It is unclear why this was the case, but RockYou may have required the inclusion of capital letters at some point.)
Only 12% of the passwords surveyed by Hakçıl included "special" characters, such as punctuation, that are found on a typical QWERTY keyboard but are not letters or numbers. The inclusion of such characters can help strengthen passwords against password crackers.
In contrast, about 29% of passwords consisted only of letters, with more than 26% of all passwords using only lowercase letters; more than 13% used only numbers; and more than 25% used only "special" letters.
As an indication of how people form passwords, more than 34% of mixed letter-number passwords ended with a number (e.g., "qwerty123"), while only 4.5% began with a number.
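To make the composition figures above concrete, here is an added example (not Hakçıl's code) that computes the same kind of statistics over a small, constructed list of leaked passwords: total and unique entries, the most common password, the share found only once, average length, and the "special characters only", "letters only", "lowercase only", "digits only" and "digit at start/end of a mixed password" categories. The sample corpus and the category definitions are assumptions for illustration.

```python
from collections import Counter

# Constructed sample "breach" corpus for illustration (not real breach data).
# Repeats are deliberate: they stand in for the duplicates that dominate a real dump.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "123456", "password", "qwerty123",
    "iloveyou", "Tr0ub4dor&3", "letmein", "abc123", "2wsx!QAZ", "sunshine",
    "7dragons", "Dragon", "987654321", "correct horse battery staple",
]

def classify(pw):
    """Composition flags for one password, mirroring the categories in the study."""
    has_digit = any(c.isdigit() for c in pw)
    has_alpha = any(c.isalpha() for c in pw)
    return {
        "has_special": any(not c.isalnum() for c in pw),  # punctuation, space, etc.
        "letters_only": pw.isalpha(),
        "lower_only": pw.isalpha() and pw.islower(),
        "digits_only": pw.isdigit(),
        "alnum_mixed": pw.isalnum() and has_digit and has_alpha,  # letters + digits, nothing else
    }

def analyze(passwords):
    """Aggregate the study's headline statistics over a list of leaked passwords."""
    n = len(passwords)
    if n == 0:
        raise ValueError("empty corpus")
    counts = Counter(passwords)
    flags = [classify(pw) for pw in passwords]
    pct = lambda key: 100.0 * sum(f[key] for f in flags) / n
    # Digit position is only meaningful for mixed letter-and-number passwords.
    mixed = [pw for pw, f in zip(passwords, flags) if f["alnum_mixed"]]
    m = max(len(mixed), 1)
    return {
        "total": n,
        "unique": len(counts),
        "top": counts.most_common(1)[0],                       # (password, occurrences)
        "singletons_pct": 100.0 * sum(c == 1 for c in counts.values()) / n,
        "avg_length": sum(len(pw) for pw in passwords) / n,
        "special_pct": pct("has_special"),
        "letters_only_pct": pct("letters_only"),
        "lower_only_pct": pct("lower_only"),
        "digits_only_pct": pct("digits_only"),
        "mixed_end_digit_pct": 100.0 * sum(pw[-1].isdigit() for pw in mixed) / m,
        "mixed_start_digit_pct": 100.0 * sum(pw[0].isdigit() for pw in mixed) / m,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PASSWORDS).items():
        print(f"{key:>22}: {value}")
```

Pointing `analyze()` at a real list (one password per line) reproduces the study's categories; on a large dump, stream the file and update the counters rather than loading everything into memory.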
Hakçıl found one surprising thing: as many as 763,000 10-character passwords followed a predictable pattern.
"They all begin and end with a capital letter. None of them seem to contain keyboard patterns or meaningful words."
The passwords appear to have been generated mechanically, but some of them appear to have been reused, perhaps indicating a flaw in the password generation algorithm.
"I have no idea what this could find and what it could mean, but I suspect that some password manager is creating low entropy passwords and using them repeatedly across many users," Hakçıl wrote. "I welcome and appreciate all ideas on this."
Hakçıl started with about a billion pairs of credentials (passwords and usernames), but had to discard more than 257 million pairs because they were unreadable or clearly test accounts.
To limit the damage a data breach can do to your accounts, make sure all your passwords are long, strong, and unique.
Ideally, you want a password that is at least 15 characters long, made up of absolute gibberish, and including all four types of characters found on a typical QWERTY computer keyboard.
To create and remember such passwords, and to ensure that none of them are repeated, there is no better solution than to use the best password manager available.
Here are the 100 most common passwords according to Hakçıl's analysis. Do not use these passwords for your account.